Configuring vCenter Server and ESXi to Use the Same SSO Identity Source

For the most part, the same group of admins will end up with a need for administrative access to both vCenter Server and ESXi hosts. To facilitate ease of administration, as well as to provide a clear audit trail, ESXi and vCenter Server should authenticate user access through the same identity source. This article will outline how to make ESXi 5.1 and vCenter Server 5.1 (with a little help from Single Sign-On) authenticate against the same identity source, as well as give a group of admins access to both.

Configuring ESXi Authentication Services

First, we’ll need to create the ESX Admins group in Active Directory and populate it with users. This is the group to which ESXi grants the Administrator role once the host has been configured to authenticate against AD, so membership in it should be controlled as tightly as root access to the hosts.

Next, we need to configure our ESXi hosts to authenticate against Active Directory. This assumes your hosts are already available within vCenter Server.

Web Client

2. Fill in your domain name and give proper credentials to join the domain, then click Join Domain. Note that prepending the domain name, e.g. DOMAIN\User, will cause authentication to fail. Either use the user@domain.tld format or just the user name.

You should now see the Active Directory domain configuration as below.

C# Client

1. Click on your ESXi host in the Hosts and Clusters inventory view, then click the Configuration tab and Authentication Services under Software.

4. Give proper credentials to join the domain, then click Join Domain. Note that prepending the domain name, e.g. DOMAIN\User, will cause authentication to fail. Either use the user@domain.tld format or just the user name.

You should now see the Active Directory domain configuration as below.

To show that authentication is actually working, I’ll SSH into that ESXi host and log in using Active Directory user credentials.
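The same ESXi-side procedure can be scripted end to end with PowerCLI and the ActiveDirectory PowerShell module, which is also the easiest way to confirm the join actually succeeded rather than just having a domain name filled in. The script below is an added example and is not from the original article; the domain corp.example.com, the vCenter vc01, the hosts esx01/esx02, the join account prompt and the user names are assumptions to be replaced with your own values.

```powershell
# Added example (not from the original article): automate the ESXi-side steps
# with PowerCLI 5.x and the ActiveDirectory module, then verify the join.
# Assumptions (not stated on the page): domain corp.example.com, vCenter vc01,
# hosts esx01/esx02 and the admin user names; adjust to your environment.
Import-Module ActiveDirectory
Add-PSSnapin VMware.VimAutomation.Core -ErrorAction SilentlyContinue

$domain   = 'corp.example.com'
$vcenter  = 'vc01.corp.example.com'
$esxHosts = 'esx01.corp.example.com', 'esx02.corp.example.com'
$admins   = 'alice', 'bob'     # sAMAccountNames of the vSphere admins (assumed)

# Step 1: create the ESX Admins group ESXi looks for and populate it.
if (-not (Get-ADGroup -Filter "Name -eq 'ESX Admins'")) {
    New-ADGroup -Name 'ESX Admins' -GroupScope Global -GroupCategory Security `
        -Description 'Members get the Administrator role on AD-joined ESXi hosts'
}
Add-ADGroupMember -Identity 'ESX Admins' -Members $admins

# Step 2: join each host. Enter the join account in user@domain form;
# as the article notes, DOMAIN\user makes the join fail.
$joinCred = Get-Credential -Message "Join account as user@$domain"
Connect-VIServer -Server $vcenter | Out-Null

foreach ($name in $esxHosts) {
    $vmhost = Get-VMHost -Name $name
    $auth   = Get-VMHostAuthentication -VMHost $vmhost
    if ($auth.Domain -ne $domain) {
        Set-VMHostAuthentication -VMHostAuthentication $auth -Domain $domain `
            -JoinDomain -Credential $joinCred -Confirm:$false | Out-Null
    }

    # Step 3: verify. DomainMembershipStatus must be 'Ok'; anything else means
    # AD users will not be able to log in even though the domain name is set.
    $auth  = Get-VMHostAuthentication -VMHost $vmhost
    $group = (Get-AdvancedSetting -Entity $vmhost `
        -Name 'Config.HostAgent.plugins.hostsvc.esxAdminsGroup').Value
    '{0}: domain={1} status={2} adminGroup={3}' -f `
        $name, $auth.Domain, $auth.DomainMembershipStatus, $group
}
Disconnect-VIServer -Server $vcenter -Confirm:$false
```

The last line of output per host also prints the advanced setting Config.HostAgent.plugins.hostsvc.esxAdminsGroup, which is the AD group name ESXi maps to the Administrator role. If someone has changed it from the default ESX Admins, the group you populated in step 1 grants nothing, so the verification step is worth keeping even if you join hosts through the client instead of the script.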

Configuring vCenter Single Sign On

Since I want my vSphere administrators to be able to fully control my entire vSphere stack, I’m going to give them administrative rights in vCenter Single Sign-On.

1. Log in to the vCenter Server Web Client using the admin@system-domain user.